I recently setup ssh to help look into my link up issues with DAC cables.
ssh logon banner provides this:
BusyBox v1.33.1 (2021-10-24 09:01:35 UTC) built-in shell (ash)
Which was released 3 May 2021?
The latest stable version is per https://www.busybox.net/ is
19 May 2023 -- BusyBox 1.36.1 (stable)
While nearly 2 years old, is better than 4 years old?
Any insight on why such an old version of BusyBox has been used for a brand new product?
@mentalinc Is there specific functionality that you find necessary in a newer version of busybox? We use OpenWRT 21.02 as the basis for most of our products, because it serves our needs, is a good balance between the (even older) SDK that our chipset vendors provide and modern versions of OpenWRT, and does not have any outstanding security issues (that we are aware of).
You’ll find that some custom packages are much newer than our base system, but the base system has to be held back for vendor driver compatibility. If there are security concerns, we address them immediately.
No nothing missing, was more surprised to be greeted with a 2021 date on a product launched in 2024. But understand the code lineage/limitations
Is this going to be the version long term?
For a product we’d expect to supply to customers for several years we’d not expect it to be running an end of life release already, particularly for a security appliance.
There are legal requirements for the UK
I’ll start with saying that I’m not a developer, but I feel like what version of OpenWRT the firmware is based on is somewhat irrelevent with an embedded device like the Route10. Once the device and firmware have been created the responsability falls on Alta Labs to be patching security vulnerabilities and updating packages, not OpenWRT, which renders whether the base version is supported by OpenWRT a bit moot.
I’ll also reference this post from @Alta-cmb when the Route10 was first released: https://www.reddit.com/r/AltaLabs/comments/1galq8v/comment/lvtkdqr/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button
@bbz We are always trying to use the latest and greatest that open-source has to offer. We have been looking in to upgrading since the inception of the product, but there is only so much we can do when/if we veer away from what our upstream vendors support. There is a balance between functionality, support from our upstream vendors (which we lose if we veer too much, by the way), and outright security issues.
I will reiterate once again as I have in other places: there are no known security issues with the versions of packages that we are using. If a specific package is found to have a vulnerability, we will immediately upgrade that specific package and/or patch the specific flaw in source code. We are relatively proactive (compared to other vendors) in this regard.
